# nmap

## Basic usage

### Base syntax

```shell
nmap [scan type] [options] {targets}
```

### Target specification

IPv4 address: `192.168.1.1`

IPv6 address: `AABB:CCDD::FF%eth0`

Host name: `www.target.com`

IP address range: `192.168.0-255.0-255`

CIDR block: `192.168.0.0/16`

Input from list of hosts/networks: `-iL <filename>`

### Target ports

`-F`: scan 100 most popular ports

`-p<port1>-<port2>`: port range

`-p<port1>,<port2>,...`: port list

`-pU:53,U:110,T:20-445`: mix TCP and UDP

`-r`: scan ports consecutively - don't randomize

`--top-ports <n>`: scan n most popular ports

`-p-65535`: leaving off the initial port makes nmap start scanning at port 1

`-p0-`: leaving off the end port makes nmap scan up to port 65535

`-p-`: leaving off both start and end port makes nmap scan ports 1-65535

### Probing options

`-Pn`: treat all hosts as online -- skip host discovery

`-PB`: default probe (TCP 80, 445 & ICMP)

`-PS<port list>`: check whether targets are up by probing TCP ports

`-PE`: use ICMP echo request.

`-PP`: use ICMP timestamp request.

`-PM`: use ICMP netmask request.

### Scan types

`-sn`: probe only (host discovery, not port scan)

`-sS`: SYN scan (<https://nmap.org/book/synscan.html>)

`-sT`: TCP connect scan

`-sU`: UDP scan

`-sV`: version scan

`-O`: OS detection

`--scanflags`: set a custom list of TCP flags using URG, ACK, PSH, RST, SYN, FIN in any order.

### Timing options

`-T0`: paranoid scan, a very slow scan (used for IDS evasion)

`-T1`: sneaky scan, excellent for avoiding firewalls (used for IDS evasion)

`-T2`: polite scan, unlikely to interfere with the target system (~10 times slower than default)

`-T3`: normal scan, the default NMAP timing template (based on target responsiveness)

`-T4`: aggressive scan, provides faster results on LANs (may overwhelm targets)

`-T5`: insane scan, a fast aggressive scan (will likely overwhelm targets or miss open ports)

### Output formats

`-oN`: standard nmap output

`-oG`: greppable format

`-oX`: XML format

`-oA <basename>`: generate nmap, greppable, and XML output files using basename for files

### Scripts

`--script`: specify a script to run on the target

`-sC`: equivalent to --script=default

### Misc options

`-n/-R`: never do DNS resolution / always resolve [default: sometimes]

`-6`: use IPv6 only

`-A`: use several features, including OS detection, version detection, script scanning (default), and traceroute.

`--reason`: display reason nmap thinks port is open, closed, or filtered.

`--open`: only show open (or possibly open) ports

`-v`: increase verbosity level (use -vv or more for greater effect)

### Examples

```shell
nmap -sV {target ip}
```

```shell
nmap -sV -sC {target ip}
```

```shell
nmap -sV -sC -Pn {target ip}
```

```shell
nmap -sV --script http-enum -Pn {target ip}
```

```shell
nmap -p 445 --script vuln -Pn {target ip}
```

```shell
nmap -p 445 --script smb-vuln-* -Pn {target ip}
```

```shell
nmap -F -sV -sC -sU -T4 {target ip}
```

```shell
nmap -sV -sC -n --min-rate 1000 -T4 {target ip}
```

```shell
nmap -p- -sS --min-rate 5000 --open -vv -n -Pn {target ip}
```

```shell
# split the scan in two phases
ports=$(nmap -p- --min-rate 1000 -T4 -Pn {target ip} | grep '^[0-9]' | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -sV -sC -Pn {target ip}
```
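The split-phase scan above pulls port numbers out of nmap's normal output with grep and cut. The following added example (not part of the original cheat sheet) does the same job from the greppable `-oG` format listed under output formats, which is tab-separated and has a fixed per-port field layout, so service banners and states such as `open|filtered` cannot confuse the parser. The `sample_greppable` report, the hosts in it, and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original cheat sheet: parse nmap's greppable
# (-oG) output to list a host's open ports, then build the -p argument for
# a follow-up -sV -sC scan (what the split-phase example does with grep/cut).

# Constructed sample of what "nmap -oG - ..." prints: two hosts, one with an
# "open|filtered" UDP port. A real report is tab-separated exactly like this.
sample_greppable() {
  printf '%s\n' '# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -oG - 192.168.1.0/24'
  printf '%s\t%s\n' 'Host: 192.168.1.10 ()' 'Status: Up'
  printf '%s\t%s\t%s\n' 'Host: 192.168.1.10 ()' \
    'Ports: 22/open/tcp//ssh//OpenSSH 8.9p1//, 80/open/tcp//http//nginx 1.18.0//, 443/closed/tcp//https///' \
    'Ignored State: filtered (997)'
  printf '%s\t%s\n' 'Host: 192.168.1.11 (printer.lan)' 'Status: Up'
  printf '%s\t%s\t%s\n' 'Host: 192.168.1.11 (printer.lan)' \
    'Ports: 53/open|filtered/udp//domain///' 'Ignored State: closed (99)'
  printf '%s\n' '# Nmap done at Mon Jan  1 12:00:05 2024 -- 256 IP addresses (2 hosts up) scanned in 5.00 seconds'
}

# open_ports <host>: read a -oG report on stdin and print "port/proto" for
# every port whose state is exactly "open" on that host, one per line.
open_ports() {
  awk -F '\t' -v h="$1" '
    index($1, "Host: " h " ") == 1 {            # exact host match, not a prefix
      for (i = 2; i <= NF; i++) if (index($i, "Ports: ") == 1) {
        n = split(substr($i, 8), entries, /, /)  # entries are ", "-separated
        for (j = 1; j <= n; j++) {
          split(entries[j], f, "/")             # port/state/proto/owner/service/...
          if (f[2] == "open") print f[1] "/" f[3]
        }
      }
    }'
}

# port_list <host>: the same ports as a comma-separated -p argument.
port_list() {
  open_ports "$1" | cut -d / -f 1 | paste -s -d , -
}

# Usage on a live scan: nmap -oG - -p- -Pn TARGET | port_list TARGET
sample_greppable | port_list 192.168.1.10    # prints 22,80
```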

## Links

{% embed url="https://nmap.org/book/synscan.html" %}

{% embed url="https://nudesystems.com/nmap-timing-options-when-and-how-to-use-them" %}
